This weekend I added a new session manager to my bottlesession library; this one stores the session information in a “secure cookie” in the browser. So now bottlesession includes two easy ways of managing sessions. Using a database is going to be trickier, because no one schema is going to fit all users.

To read more about my continued experimentation with the bottle web application micro-framework, read the remainder of this post.

Of course, a secure cookie requires a key to unlock it, and so I had this idea of generating a key that's the same across multiple runs, but difficult to guess or probe for without access to the server. I made a small function that uses the stable part of the “uuid1()”, plus the time of the last system boot (found via “/proc/uptime”, so it's Linux-only), and then I generate an sha1 digest of that.

However, I still consider that to be fairly weak, because a user with access to the system could figure this out. For a trivial web app used by only trusted users, it's fine, but I'm afraid of people using it without understanding it. So I'll probably get rid of this automatic secret generation and require that developers pass one in when creating the CookieSession.

This automatic secret only happens when one isn't specified. A secret can be specified in two ways: either by “CookieSession(secret = 'notvery')”, or it can be read from a file with “CookieSession(secret_file = '/path/to/secret')”. This latter method I support because I tend to like to keep the secret out of my code and instead store it in a config file.
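The sketch below is an added example, not code from bottlesession: it contrasts the boot-derived secret described above with a random secret kept in an owner-only file of the kind `secret_file` would point at. The function names are hypothetical, and treating the "stable part" of uuid1() as its node field, joined to the boot time with a colon, is an assumption.

```python
import hashlib
import os
import secrets
import stat
import tempfile
import uuid


def boot_derived_secret(node: int, boot_time: int) -> str:
    """Auto-secret as described in the post (details assumed): SHA-1 of the
    uuid1 node field plus the time of the last boot."""
    return hashlib.sha1(f"{node:012x}:{boot_time}".encode()).hexdigest()


def load_or_create_secret(path: str) -> str:
    """Return the secret stored at path, creating a random one on first use."""
    try:
        # O_EXCL: never overwrite an existing secret; 0o600: owner-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        pass
    else:
        with os.fdopen(fd, "w") as f:
            f.write(secrets.token_hex(32))  # 256 bits from the OS CSPRNG
    # Refuse a secret that other local accounts could read or replace.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} must not be accessible to group/other")
    with open(path) as f:
        return f.read().strip()


if __name__ == "__main__":
    # Constructed sample inputs. On a real host both values are available to
    # every local account (uuid.getnode(), /proc/uptime), so any local user
    # can recompute the derived secret.
    node, boot_time = 0x001122334455, 1700000000
    print("derived:", boot_derived_secret(node, boot_time))
    print("this host's node id:", f"{uuid.getnode():012x}")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "session.secret")
        print("random :", load_or_create_secret(path))
```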

I continue to really like the bottle microframework. I ported an old webapp I had built using Myghty and its Apache publisher, which was sometimes working fine and sometimes generating an error on pages. That port went very well, once I had bottlesession, and the port was done in an evening of hacking.

bottlesession continues to reside at github, so please visit there if you want the code or to take a look at it. The README (available on that page above) includes some simple examples.

I haven't gotten any feedback on the bottle mailing list, but it is the holiday season so maybe some feedback will be coming soon. Or maybe just nobody is interested… Compared to the alternatives for doing authentication in bottle, I think bottlesession is pretty compelling.

